Date:      Mon, 23 Oct 2000 10:25:27 +0100 (BST)
From:      robmel@innotts.co.uk
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   bin/22238: User PPP "deny_incoming" option does not deny incoming connections
Message-ID:  <20001023092527.2D3FA7038@muffin.highwire.local>


>Number:         22238
>Category:       bin
>Synopsis:       User PPP "deny_incoming" option does not deny incoming connections
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Oct 23 02:30:00 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator:     Robin Melville
>Release:        FreeBSD 4.1.1-STABLE i386
>Organization:
Nottingham Alcohol & Drug Team
>Environment:

FreeBSD muffin.highwire.local 4.1.1-STABLE FreeBSD 4.1.1-STABLE #0: Fri Oct 20 02:59:08 BST 2000     root@muffin.highwire.local:/usr/obj/usr/src/sys/muffin  i386

>Description:

User PPP has the option to prevent any connections from being established from the
remote end. The options "nat enable yes" and "nat deny_incoming yes" should
place ppp in this state. It does not. PPP uses the libalias library, which
correctly returns the status flag PKT_ALIAS_IGNORED when an incoming
connection is attempted. However, ppp does not drop the packet as advertised.

The implications of this are serious for users who believe they are behind
a one-way firewall. In fact, all their services which are not explicitly
bound only to the loopback and/or internal interfaces are fully exposed on the
Internet and can be connected to. While this does not bypass any other
security which may be in place on these services, it markedly increases their
ppp host's vulnerability to unauthorised access using other known or
unknown exploits.

>How-To-Repeat:

Set up PPP with "nat enable yes" and "nat deny_incoming yes". Cause ppp to
dial up/make a remote connection. Use a port scanner from elsewhere on the
Internet/remote network or attempt to connect to an internally available
service. Services are both visible and available.

>Fix:

Alter /usr/src/usr.sbin/ppp/nat_cmd.c as follows:

--- nat_cmd.c   Sun Oct 22 11:22:01 2000
+++ nat_cmd+.c  Sun Oct 22 11:53:49 2000
@@ -422,11 +422,14 @@
 
     case PKT_ALIAS_IGNORED:
       if (log_IsKept(LogTCPIP)) {
-        log_Printf(LogTCPIP, "NAT engine ignored data:\n");
+        log_Printf(LogTCPIP, "NAT engine set packet to be ignored:\n");
         PacketCheck(bundle, MBUF_CTOP(bp), bp->m_len, NULL, NULL, NULL);
       }
+      /* libalias has marked this packet to be ignored. It should be dropped */
+      m_freem(bp);
+      bp = NULL;
       break;
-
+      
     default:
       log_Printf(LogWARN, "nat_LayerPull: Dropped a packet (%d)....\n", ret);
       m_freem(bp);
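Review bot: the drop added in the PKT_ALIAS_IGNORED case is only recorded when LogTCPIP is kept, whereas the default case logs every dropped packet under LogWARN; since a packet dropped here is an unsolicited inbound connection that deny_incoming was configured to refuse, consider logging it unconditionally at the same level, for example `log_Printf(LogWARN, "nat_LayerPull: Dropped incoming packet (PKT_ALIAS_IGNORED)\n");`, so administrators can see blocked attempts in the log. Two smaller points: the `-`/`+      ` pair only replaces an empty line with one containing trailing whitespace and should be left out of the patch, and the hunk does not show what follows the switch, so confirm that the code after it treats `bp == NULL` as "packet dropped" exactly as it does for the default case, rather than dereferencing it.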


>Release-Note:
>Audit-Trail:
>Unformatted:

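The behaviour this report describes, as an added example that is not part of the PR, of ppp or of libalias: a toy NAT keeps a table of outbound flows, classifies each inbound packet the way libalias does when deny_incoming is set (a reply to a known flow is OK, anything else is IGNORED), and then two versions of the ppp-side pull routine act on that status. `nat_pull_buggy()` logs the ignored packet but still hands it back to the stack, which is the reported bug; `nat_pull_fixed()` frees it and returns NULL, which is what the patch above does. All names (`nat_state`, `nat_in`, `nat_pull_*`, `deliver_count`), the status values and the sample addresses are constructed for this example and are not taken from alias.h or nat_cmd.c.

```c
/* Added example: model of ppp's deny_incoming path (not ppp/libalias code). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for libalias status codes; the numeric values are assumptions. */
enum alias_status { ALIAS_OK = 1, ALIAS_IGNORED = 2 };

struct flow { unsigned int remote_ip; unsigned short remote_port, local_port; };
struct pkt  { unsigned int src_ip;    unsigned short src_port,    dst_port;   };

#define MAX_FLOWS 16
struct nat_state {
    struct flow flows[MAX_FLOWS];   /* outbound connections seen so far */
    int nflows;
    int deny_incoming;              /* "nat deny_incoming yes" */
};

/* Record an outbound connection so that its replies are let back in. */
void nat_out(struct nat_state *st, unsigned int remote_ip,
             unsigned short remote_port, unsigned short local_port)
{
    if (st->nflows < MAX_FLOWS)
        st->flows[st->nflows++] = (struct flow){ remote_ip, remote_port, local_port };
}

/* Toy inbound classification: OK if the packet answers a flow we opened,
 * otherwise IGNORED when deny_incoming is set (unsolicited inbound). */
enum alias_status nat_in(const struct nat_state *st, const struct pkt *p)
{
    for (int i = 0; i < st->nflows; i++) {
        const struct flow *f = &st->flows[i];
        if (f->remote_ip == p->src_ip && f->remote_port == p->src_port &&
            f->local_port == p->dst_port)
            return ALIAS_OK;
    }
    return st->deny_incoming ? ALIAS_IGNORED : ALIAS_OK;
}

/* Reported behaviour: the IGNORED packet is logged but still delivered. */
struct pkt *nat_pull_buggy(const struct nat_state *st, struct pkt *bp)
{
    switch (nat_in(st, bp)) {
    case ALIAS_OK:
        break;
    case ALIAS_IGNORED:
        fprintf(stderr, "NAT engine ignored data\n");
        break;                      /* bug: bp is returned to the stack anyway */
    }
    return bp;
}

/* Fixed behaviour: the IGNORED packet is freed and NULL (dropped) returned. */
struct pkt *nat_pull_fixed(const struct nat_state *st, struct pkt *bp)
{
    switch (nat_in(st, bp)) {
    case ALIAS_OK:
        break;
    case ALIAS_IGNORED:
        fprintf(stderr, "NAT engine set packet to be ignored: dropped\n");
        free(bp);
        bp = NULL;
        break;
    }
    return bp;
}

static struct pkt *mkpkt(unsigned int src_ip, unsigned short src_port,
                         unsigned short dst_port)
{
    struct pkt *p = malloc(sizeof *p);
    if (!p) { perror("malloc"); exit(1); }
    p->src_ip = src_ip; p->src_port = src_port; p->dst_port = dst_port;
    return p;
}

/* Scenario (constructed): one outbound flow to 10.0.0.1:80 from local port
 * 40000, then two inbound packets: the reply to that flow, and an
 * unsolicited connection from 192.168.1.5:51234 to local port 22.
 * Returns how many of the two packets the given pull routine delivered. */
int deliver_count(struct pkt *(*pull)(const struct nat_state *, struct pkt *),
                  int deny_incoming)
{
    struct nat_state st;
    memset(&st, 0, sizeof st);
    st.deny_incoming = deny_incoming;
    nat_out(&st, 0x0A000001u, 80, 40000);

    struct pkt *inputs[2] = { mkpkt(0x0A000001u, 80, 40000),
                              mkpkt(0xC0A80105u, 51234, 22) };
    int delivered = 0;
    for (int i = 0; i < 2; i++) {
        struct pkt *out = pull(&st, inputs[i]);   /* NULL means dropped */
        if (out) { delivered++; free(out); }
    }
    return delivered;
}

int main(void)
{
    printf("buggy, deny_incoming=1: %d of 2 delivered\n", deliver_count(nat_pull_buggy, 1));
    printf("fixed, deny_incoming=1: %d of 2 delivered\n", deliver_count(nat_pull_fixed, 1));
    printf("fixed, deny_incoming=0: %d of 2 delivered\n", deliver_count(nat_pull_fixed, 0));
    return 0;
}
```

With deny_incoming set, the buggy routine delivers both packets, including the unsolicited one to port 22, while the fixed routine delivers only the reply; with deny_incoming off, both routines deliver both, which is the documented behaviour. The point worth checking in any such pull path is that every status the NAT layer can return ends in exactly one of "return the packet" or "free it and return NULL", with nothing falling through to delivery by default.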
